Member Sues LinkedIn for $5 Million over Hack
Suit: Failure to Protect Website Shows Troubling Lack of Security
An Illinois real estate sales associate and member since 2010 of LinkedIn, which experienced a theft of some 6.5 million hashed passwords [see LinkedIn Has Neither CIO nor CISO], has filed a $5 million class action lawsuit against the social network for failing to encrypt the passwords and other personally identifiable information.
"While some security threats are unavoidable in a rapidly developing technological environment, LinkedIn's failure to comply with long-standing industry standard encryption protocols jeopardized its users' PII, and diminished the value of the services provided by defendant - as guaranteed by its own contractual terms," according to the lawsuit filed June 15 by Katie Szpyrka in federal district court in San Francisco, near LinkedIn's Mountain View, Calif., headquarters, and posted on the website Courthousenews.com.
LinkedIn, in a response from spokesman Hani Durzy, suggests the lawsuit is frivolous. "No member account has been breached as a result of the incident, and we have no reason to believe that any LinkedIn member has been injured," Durzy says. "It appears that these threats are driven by lawyers looking to take advantage of the situation. We believe these claims are without merit, and we will defend the company vigorously against suits trying to leverage third-party criminal behavior."
The suit alleges that LinkedIn failed to adequately protect members because it stored passwords in an unsalted SHA hashed format, which Szpyrka contends is an outdated hashing function first published in 1995 by the National Security Agency. Storing passwords in hashed format without first salting them runs afoul of conventional data protection methods and poses significant risks to the integrity of users' sensitive data, the suit says.
Hashing refers to a cryptographic process in which passwords are converted into an unreadable, fixed-length digest that cannot be directly reversed. Salting involves combining random values with a password before the text is fed into a hashing function, significantly increasing the difficulty of recovering a password from the resulting hash.
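To make the distinction concrete, the following is an added illustration (not LinkedIn's code and not from the suit) that places the unsalted SHA-1 storage described above beside a per-user salted scheme; the PBKDF2 iteration count and 16-byte salt length are assumptions, not values from the page.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed example: contrasts unsalted SHA-1 password storage with
# per-user salted, iterated hashing. The work factor below is an assumption.
PBKDF2_ITERATIONS = 200_000


def unsalted_sha1(password: str) -> str:
    """Weak scheme: a bare SHA-1 digest of the password, no salt.

    Because the function is deterministic, every user with the same password
    stores the same digest, so one precomputed table covers all of them.
    """
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Hardened scheme: a fresh random salt per user and a slow, iterated hash."""
    if salt is None:
        salt = os.urandom(16)  # 128-bit random salt, stored next to the digest
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def verify_salted(password: str, salt: bytes, stored_digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = salted_hash(password, salt)
    return hmac.compare_digest(candidate, stored_digest)


def same_password_collides(password: str) -> Tuple[bool, bool]:
    """For two users sharing a password, report whether their stored values
    are identical under (unsalted SHA-1, salted PBKDF2)."""
    unsalted_equal = unsalted_sha1(password) == unsalted_sha1(password)
    salt_a, digest_a = salted_hash(password)
    salt_b, digest_b = salted_hash(password)
    salted_equal = (salt_a, digest_a) == (salt_b, digest_b)
    return unsalted_equal, salted_equal


if __name__ == "__main__":
    print(same_password_collides("correct horse"))  # (True, False)
```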
The suit cites reports that said hackers breached LinkedIn servers through an SQL injection attack. "If true," the suit says, "LinkedIn's failure to adequately protect its website against SQL injection attacks - in conjunction with improperly securing its users' PII - would demonstrate that the company employed a troubling lack of security measures. ... Had LinkedIn used proper encryption methods, and a hacker were able to penetrate LinkedIn's network, he would be limited in his ability to inflict harm."
Three days after the hack was disclosed with the posting of the passwords on a website, LinkedIn fessed up to the breach. "Too little, too late," Szpyrka says.